[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnDiscuss] Re: [VulnWatch] CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd)



Everyone should be using HashDB so this sort of thing doesn't happen
anymore. Download it and try it out today:
http://www.immunitysec.com/hashdb.html

(GPL, of course)

Dave Aitel
Immunity, Inc.


On Tue, 2002-10-08 at 20:29, Rain Forest Puppy wrote:
> 
> 
> ---------- Forwarded message ----------
> Date: Tue, 8 Oct 2002 16:52:44 -0400
> From: CERT Advisory <cert-advisory@xxxxxxxx>
> To: cert-advisory@xxxxxxxx
> Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
> 
>    Original release date: October 08, 2002
>    Last revised: --
>    Source: CERT/CC
> 
>    A complete revision history is at the end of this file.
> 
> Overview
> 
>    The  CERT/CC  has received confirmation that some copies of the source
>    code  for the Sendmail package were modified by an intruder to contain
>    a Trojan horse.
> 
>    Sites that employ, redistribute, or mirror the Sendmail package should
>    immediately verify the integrity of their distribution.
> 
> I. Description
> 
>    The  CERT/CC  has received confirmation that some copies of the source
>    code  for  the  Sendmail  package have been modified by an intruder to
>    contain a Trojan horse.
> 
>    The following files were modified to include the malicious code:
> 
>      sendmail.8.12.6.tar.Z
>      sendmail.8.12.6.tar.gz
> 
>    These  files  began  to  appear  in  downloads  from  the  FTP  server
>    ftp.sendmail.org  on  or  around  September  28,  2002.  The  Sendmail
>    development  team  disabled  the  compromised FTP server on October 6,
>    2002  at  approximately  22:15  PDT.  It  does  not appear that copies
>    downloaded  via  HTTP contained the Trojan horse; however, the CERT/CC
>    encourages  users  who  may  have  downloaded the source code via HTTP
>    during  this  time  period  to take the steps outlined in the Solution
>    section as a precautionary measure.
> 
>    The  Trojan  horse versions of Sendmail contain malicious code that is
>    run  during  the  process  of building the software. This code forks a
>    process  that  connects  to  a  fixed  remote server on 6667/tcp. This
>    forked  process  allows  the  intruder  to open a shell running in the
>    context  of  the  user  who  built  the Sendmail software. There is no
>    evidence  that  the  process  is  persistent  after  a  reboot  of the
>    compromised  system.  However,  a subsequent build of the Trojan horse
>    Sendmail package will re-establish the backdoor process.
> 
> II. Impact
> 
>    An  intruder  operating  from  the  remote  address  specified  in the
>    malicious  code  can  gain unauthorized remote access to any host that
>    compiled  a  version of Sendmail from this Trojan horse version of the
>    source  code.  The  level  of  access  would  be  that of the user who
>    compiled the source code.
> 
>    It  is  important  to  understand that the compromise is to the system
>    that  is  used  to  build the Sendmail software and not to the systems
>    that run the Sendmail daemon. Because the compromised system creates a
>    tunnel to the intruder-controlled system, the intruder may have a path
>    through network access controls.
> 
> III. Solution
> 
> Obtain an authentic version Sendmail
> 
>    The primary distribution site for Sendmail is
> 
>           http://www.sendmail.org/
> 
>    Sites  that  mirror  the Sendmail source code are encouraged to verify
>    the integrity of their sources.
> 
> Verify software authenticity
> 
>    We  strongly  encourage  sites  that recently downloaded a copy of the
>    Sendmail   distribution   to   verify   the   authenticity   of  their
>    distribution,  regardless  of  where  it was obtained. Furthermore, we
>    encourage  users  to  inspect  any and all software that may have been
>    downloaded  from  the compromised site. Note that it is not sufficient
>    to  rely  on  the  timestamps  or  sizes  of  the  file when trying to
>    determine whether or not you have a copy of the Trojan horse version.
> 
> Verify PGP signatures
> 
>    The  Sendmail source distribution is cryptographically signed with the
>    following PGP key:
> 
>      pub    1024R/678C0A03    2001-12-18   Sendmail   Signing   Key/2002
>      <sendmail@xxxxxxxxxxxx>
>      Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
> 
>    The  Trojan  horse  copy  did not include an updated PGP signature, so
>    attempts  to  verify its integrity would have failed. The sendmail.org
>    staff  has  verified  that the Trojan horse copies did indeed fail PGP
>    signature checks.
> 
> Verify MD5 checksums
> 
>    In  the  absence  of  PGP,  you can use the following MD5 checksums to
>    verify the integrity of your Sendmail source code distribution:
>    Correct versions:
> 
>      73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
>      cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
>      8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
> 
>    As a matter of good security practice, the CERT/CC encourages users to
>    verify,  whenever  possible, the integrity of downloaded software. For
>    more information, see
> 
>           http://www.cert.org/incident_notes/IN-2001-06.html
> 
> Employ egress filtering
> 
>    Egress  filtering  manages  the flow of traffic as it leaves a network
>    under your administrative control.
> 
>    In  the  case  of  the  Trojan  horse Sendmail distribution, employing
>    egress  filtering  can  help  prevent  systems  on  your  network from
>    connecting to the remote intruder-controlled system. Blocking outbound
>    TCP  connections  to  port  6667 from your network reduces the risk of
>    internal compromised machines communicating with the remote system.
> 
> Build software as an unprivileged user
> 
>    Sites  are  encouraged  to  build  software  from  source  code  as an
>    unprivileged,  non-root  user  on  the  system.  This  can  lessen the
>    immediate  impact  of  Trojan  horse software. Compiling software that
>    contains  Trojan  horses as the root user results in a compromise that
>    is  much  more  difficult  to reliably recover from than if the Trojan
>    horse is executed as a normal, unprivileged user on the system.
> 
> Recovering from a system compromise
> 
>    If  you  believe  a  system under your administrative control has been
>    compromised, please follow the steps outlined in
> 
>           Steps for Recovering from a UNIX or NT System Compromise
> 
> Reporting
> 
>    The  CERT/CC  is  interested in receiving reports of this activity. If
>    machines  under  your  administrative  control are compromised, please
>    send  mail  to  cert@xxxxxxxx  with the following text included in the
>    subject line: "[CERT#33376]".
> 
> Appendix A. - Vendor Information
> 
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  As  vendors  report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
>      _________________________________________________________________
> 
>    The  CERT  Coordination  Center  thanks  the  staff  at  the  Sendmail
>    Consortium for bringing this issue to our attention.
>      _________________________________________________________________
> 
>    Feedback  can  be  directed  to  the  authors:  Chad  Dougherty, Marty
>    Lindner.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2002-28.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert@xxxxxxxx
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
> 
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
> 
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@xxxxxxxxx Please include in the body of your
>    message
> 
>    subscribe cert-advisory
> 
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2002 Carnegie Mellon University.
> 
>    Revision History
> October 08, 2002: Initial release
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> 
> iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
> lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
> kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
> /DNWpyNYsGg=
> =fL1h
> -----END PGP SIGNATURE-----
> 
> 

Attachment: signature.asc
Description: This is a digitally signed message part